Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS
Julio Gento Suela, Javier Blanco-Romero, Florina Almenares Mendoza, Daniel Díaz-Sánchez

TL;DR
This paper integrates post-quantum cryptographic algorithms into CoreDNS to enable quantum-resistant DNSSEC, demonstrating compatibility and performance trade-offs for future secure DNS infrastructure.
Contribution
It introduces a CoreDNS plugin supporting five PQC signature algorithms, enabling quantum-resistant DNSSEC with maintained compatibility and performance evaluation.
Findings
PQC algorithms add operational overhead but are viable for DNSSEC transition.
Five PQC signature families supported: ML-DSA, FALCON, SPHINCS+, MAYO, SNOVA.
Benchmark results highlight security-efficiency trade-offs.
Abstract
The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results…
Taxonomy
Topics: Energy Efficient Wireless Sensor Networks
